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SUMMARY & CONCLUSIONS 

Presented were Reliability Analysis, consisting primarily 
of Failure Modes and Effects Analysis (FMEA), and System 
Safety Analysis, consisting of Preliminary Hazards Analysis 
(PHA), performed to ensure that the CoNNeCT 
(Communications, Navigation, and Networking re- 
Configurable Testbed) Flight System was safely and reliably 
operated during its Assembly, Integration and Test (AI&T) 
phase. A tailored approach to the NASA Ground Support 
Equipment (GSE) standard, NASA-STD-5005C,[1] involving 
the application of the appropriate Requirements, S&MA 
discipline expertise, and a Configuration Management system 
(to retain a record of the analysis and documentation) were 
presented. Presented were System Block Diagrams of selected 
GSE and the corresponding FMEA, as well as the PHAs. Also 
discussed are the specific examples of the FMEAs and PHAs 
being used during the AI&T phase to drive modifications to 
the GSE (via “redlining” of test procedures, and the placement 
of warning stickers to protect the flight hardware) before being 
interfaced to the Flight System. These modifications were 
necessary because failure modes and hazards were identified 
during the analysis that had not been properly mitigated. 
Strict Configuration Management was applied to changes 
(whether due to upgrades or expired calibrations) in the GSE 
by revisiting the FMEAs and PHAs to reflect the latest System 
Block Diagrams and Bill Of Material. The CoNNeCT flight 
system has been successfully assembled, integrated, tested, 
and shipped to the launch site without incident. This 
demonstrates that the steps taken to safeguard the flight 
system when it was interfaced to the various GSE were 
successful. 

1 INTRODUCTION 

The National Aeronautics and Space Administration 
(NASA) is developing an on-orbit, adaptable, Software 
Defined Radio (SDR) and Space Telecommunications Radio 
System (STRS). It will be a test-bed facility on the 
International Space Station. The CoNNeCT Project’s 


operational name for the flight system is the SCaN (Space 
Communications and Navigation) Testbed. The SCaN 
Testbed payload will launch on the HTV-III vehicle, and be 
installed on the Express Logistics Carrier (ELC) 3 at the P3 
location on the International Space Station (ISS). Figure 1 
shows the SCaN Testbed on the ELC 3 at the third port, P3, 
location on the International Space Station (ISS). The 
CoNNeCT flight system will provide an adaptable Software 
Defined Radio (SDR) / Space Telecommunications Radio 
Systems (STRS) based facility to conduct a suite of 
experiments to advance the SDR/STRS Standards, reduce risk 
by advancing the Technology Readiness Level (TRL) for 
spaceflight hardware and software, and demonstrate space 
communication links critical to future NASA missions. 



Figure 1: The SCaN Testbed on the ISS 


Figure 2 shows the SCaN Testbed integrated onto the 
ExPRESS Pallet Adapter (ExPA). The ExPA provides the 
flight system with all its needed interfaces for mechanical 
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attachment, power, and data to the ISS. It was provided to the 
CoNNeCT project as a piece of Government Furnished 
Equipment (GFE) that already had been certified for flight by 
the ISS. For GSE purposes, ground use of the ExPA is 
documented in a Memorandum Of Understanding (MOU). 
The delivery and sustaining engineering for the ExPA was 
provided by the ISS Vehicle Office (OB), and ensuring its 
safety and protection during the SCaN Testbed’s integration 
and testing was essential. 



Figure 2: SCAN Testbed integrated onto the ExPA 
2 GSE CERTIFICATION PROCESS 

Prior to the AI&T phase of flight system development, 
standard NASA-STD-5005C, Standard For The Design And 
Fabrication Of Ground Support Equipment, was tailored in 
order to ensure that the design, fabrication, and testing of 
CoNNeCT ’s Ground Support Equipment (GSE) was robust, 
safe, reliable, maintainable, supportable, and cost-effective. 
This tailoring was based on a criticality review by GRC’s 
Safety and Mission Assurance (S&MA) and Engineering 
organizations. The tailoring involved the application of the 
appropriate Requirements, S&MA discipline expertise, and a 
Configuration Management system (to retain a record of the 
analysis and documentation). This paper focuses on the 
S&MA portion of the NASA-STD-5005C tailoring. 

2. 1 The NASA Standard 

The Standard For The Design And Fabrication Of Ground 
Support Equipment, NASA-STD-5005C, states that “This 
Standard establishes top-level requirements and guidance for 
design and fabrication of ground support equipment (GSE) to 
assist National Aeronautics and Space Administration 
(NASA) space flight programs/projects in providing robust, 
safe, reliable, maintainable, supportable, and cost-effective 
GSE.” The SCaN Testbed employed this Standard to develop 
its policy on GSE. 

It must be noted that the application of this Standard to 
NASA space flight programs is at the discretion of the 


program. This Standard advocates a set of GSE design 
requirements for NASA programs and projects. This Standard 
is intended for use in establishing uniform engineering 
practices and methods and ensuring that essential requirements 
are included in the design, procurement, and fabrication of 
GSE used to support the operations of receiving, 
transportation, handling, assembly, inspection, test, checkout, 
service, and launch, of payloads at NASA’s integration and 
launch sites. 

2.2 Tailoring 

NASA-STD-5005C itself suggests that it is intended to, 
and indeed should, be tailored by program specifications to 
meet specific program, and project needs and constraints 
based on a criticality review by Safety and Mission Assurance 
(SMA) according to program and Center procedures. Just 
such a review was conducted by the SCaN Testbed’s Chief 
Engineer and SMA Lead and determined that the following 
activities will be performed for the certification of GSE. 

For CoNNeCT designed GSE: 

The technical requirements of 5005C are reviewed and 
approved by engineering for applicability to the specific piece 
of GSE. 

1 . Qualification testing of the GSE is performed and 
documented 

2. The applicable technical requirements are verified by the 
cognizant/responsible engineer 

3. The materials and processes, safety, and quality 
requirements are verified by the S&MA 

4. All certification evidence is compiled into a certification 
package which is reviewed by Engineering and S&MA 
for completeness. The package is then entered into the 
CoNNeCT Configuration Management System. 

5. Certified GSE will be tagged with a green label that states 
it is CoNNeCT certified GSE. 

For Commercial Off the Shelf (COTS) GSE : 

1. Vendor documentation is evaluated for acceptability from 
a materials and processes (M&P) and a safety standpoint 

2. Vendor test results are evaluated for acceptance 

3. A post shipment inspection is performed upon arrival at 
GRC for packaging and appropriate paperwork 

4. A GRC acceptance test is performed. 

5. All certification evidence including vendor 
documentation is compiled into a certification package 
which is reviewed by Engineering and S&MA for 
completeness. The package is then entered into the 
CoNNeCT Configuration Management System. 

6. Certified COTS GSE will be tagged with a green label 
that states it is CoNNeCT certified GSE. 

For in-house (GRC built) GSE Cables: 

Certification of the in house cables is completed when the 
as manufactured cable process plan has been closed with 
engineering and quality assurance signatures. The cable 
process plans include and document closure of all cable build 
and test requirements. 


3 ASSEMBLY, INTEGRATION, AND TEST 


By following the tailored lists of activities for 
certification, the SCaN Testbed was afforded an acceptable 
level of protection from GSE induced failures, faults, defects, 
etc. during the AI&T phase of development. Figure 3 shows 
the SCAN Testbed/ExP A, Radios and Infrastructure 
Components. 
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Figure 3: SCAN Testbed, ExPA, Radios and 
Infrastructure 

Because of the nature of the MOU with the ISS, the 
configuration as depicted in Figure 3, was only applicable to 
the following system level tests: Thermal/ Vacuum (TV AC) 
testing, Electromagnetic Interference/Electromagnetic 
Compatibility (EMI/EMC) testing, and later portions of 
Tracking and Data Relay Satellite System (TDRSS) 
Compatibility testing. The ExPA had already undergone 
System level vibration testing and retesting it integrated to the 
SCaN Testbed was not allowed per the MOU. 

3.1 Vibration Testing 

System level vibration testing assessed the structural 
integrity of the Flight System and provided the appropriate 
data to verify through a combination of testing and follow-on 
analysis that the appropriate ground handling, launch, and on- 
orbit structural requirements were met. 

3.2 Thermal/Vacuum Testing 

The primary purpose of system level thermal vacuum test 
was to verify aspects of the flight hardware function, stimulate 
latent hardware defects, validate the thermal model and the 
test provided the opportunity to characterize the system 
performance at simulated on-orbit environmental conditions. 
TVAC testing imposed environmental stresses upon the flight 
system in order to demonstrate design robustness and 
workmanship integrity over the maximum system level 
thermal design conditions. The test was designed to detect 
flaws in system level design, parts, processes, and 
workmanship. 


3. 3 ElectroMagnetic Interference / ElectroMagnetic 
Compatibility Testing 

The purpose of system level EMI-EMC testing was to 
demonstrate that the flight system was operationally 
compatible with applicable electrical power sources and 
electromagnetic environments of the H-II Transfer Vehicle 
(HTV) and International Space Station (ISS). 

3.4 TDRSS Compatibility Testing 

Compatibility testing provided a means of verifying the 
compatibility of the SCaN Testbed’s communications 
infrastructure with the service infrastructure provided by 
NASA’s Space Network (SN) and Near Earth Network 
(NEN). This testing verifies that the new user will not harm 
SN or NEN communications assets and / or interfere with 
other users (excessive power levels, frequency drift, etc.). 

4 RELIABILITY ANALYSIS 

The reliability analysis that was performed for the AI&T 
phase of the CoNNeCT project was focused on the GSE and 
consisted of FMEAs, PHA, and parts quality searches. The 
parts quality searches employed 2 databases to ensure that no 
suspect parts were incorporated into the supporting equipment. 
The 2 databases were GIDEP (Government-Industry Data 
Exchange Program) for aerospace heritage, [2] and CP SC 
(Consumer Product Safety Commission) for commercial 
heritage. The FMEA’s format followed the NASA GRC 
Work Instruction, GLWI-QE-8720.2.[3] 

4. 1 GSE System Block Diagrams 

System block diagrams representing the particular GSE 
system being certified to be interfaced to the flight system 
were used extensively. As an example, Figure 4 shows a 
simple system block diagram for a GPS test of the JPL SDR. 


CONFIGURATION 1: 

PASSIVE TEST 

FOR PERFORMANCE JPL GSE 




Figure 4: GSE Block Diagram for a GPS test on JPL SDR 

Note that specific proprietary or limited distribution 
performance data has been edited out of the original system 
block diagram for this paper. These diagrams were used to 






feed the analyzes for the FMEAs and PHAs, with the actual 
blueprints and drawings serving as backups for more detail. 
Because of the dynamic nature of the SCaN Testbed test and 
verification program, maintenance of currency and relevancy 
of the specific diagram was not a trivial task. Further details 
are provided in the Configuration Management section below. 

4.2 FMEAs 


Band TSIM with a Load Circuit presented in the Table 1 
FMEA. Hazards analyzed were: collision, contamination of 
the workplace, corrosion, electric shock and electric damage, 
explosion, fire, temperature extremes, radiation, injury/illness, 
and loss of capability to the flight system. These hazards were 
specifically picked to satisfy NASA requirements. 

Table 2: Ka-Band TSIM PHA 


Perhaps the best example of the GSE certification 
activities working to protect the Flight System was when a 
Failure Modes and Effects Analysis for the Ka-Band Tracking 
and Data Relay Satellite Simulator (TSIM) revealed that a 
potentially unacceptable problem existed. This caused the 
project’s SMA Lead and Chief Engineer to hold off on 
approving the Certification of the GSE until corrective action 
was taken to fix this potential hazard. An FMEA update was 
performed to account for the addition of a Diplexer Circuit 
Table 1 : Ka-Band TSIM FMEA 


ID 

Subsystem 

Conn/Pin 

I/O 

Function/Signal 

Characteristics 

Mode 

Causes 

Failure Effects 

Criticality 

Mitigation 

1 

Diplexer 

Circuit 

Return 1 ink 
Rx 


Path for 
attenuated 
TWTA output 
signal to Down 
Converter 

Reflection 
of Return 
Link signal 

Load 

mismatch from 
open/shorted 
connectors in 
Return Link 

Loss of transmission of TWTA 
output signal to the TSIM. 

Reflected signal will be 
attenuated by 60 dB in Ka- 
Band RF Load Circuit and will 
not damage the Harris SDR 
LNA (overload of LNA 
possible) 

* 

Inspection, 

acceptance 

test 

2 

Diplexer 

Forward 

0 

Path for 
combined Up 

Converter output 
signal and 
injected RF 
interferer signal 
to Hams SDR 
LNA 

Excess 

signal 

power from 
Up 

Converter 

Malfunction or 
incorrect 
adjustment of 
Up Converter 

Possible damage to or 
overloading of LNA 

3 

Confirm 

maximum 

output power 

< -31 dBm 

3 

■ssr 


o 

Path for 
combined Up 

Converter output 

signal and 
injected RF 
interferer signal 
to Hams SDR 
LNA 

Excess 

injected RF 

interferer 

signal 

Malfunction or 
incorrect 
adjustment of 
signal 
generator 

Possible damage to or 
overloading of LNA 

3 

Linit'momtor 

output of 

generator 

4 

Diplexer 

Circuit 

lTtx 

o 

Path for 
combined Up 
Converter output 
signal and 
injected RF 
interferer signal 
to Harris SDR 
LNA 

Output 
connector 
open or 
shorted 

Damage to 
connector, 
poor 

workmanship 

Loss of transmission of TSIM 
signal to Harris SDR 

3 

Visual 

inspection 


and use of the Ka-Band TSIM with a Ka-Band Radio 
Frequency Load Circuit. The short FMEA sheet is shown in 
Table 1 below. 

A failure mode was identified that potentially could burn 
up the Harris LNA (Low Noise Amplifier) if the input signal 
from the Up Convertor and RF signal generator exceeded -3 1 
dBm. Because this was a modification to an existing GSE 
configuration and FMEA, the potential hazard would have 
been easy to overlook had a new Failure Modes and Effects 
Analysis not been performed, modifications to the GSE (via 
“redlining” of test procedures, and the placement of warning 
stickers to protect the flight hardware) before being interfaced 
to the Flight System 


TL1GHT PRELIMINARY HAZARD ANALYSIS 

C ommunications, Navigation, and Networking reConfigurable Testbed (CoNNeCT), RF Load Circuit 

John Biinkman 


Hazard Category Affected Cause Effect Hazard Recommendations. Solutions 

Description Systems Level / 

Assessment 


1.0 Collision: Hazards which occur when GSE elements fail, break loose, or are allowed to make uncontrolled contact with other elements, typically resulting in the propagation of 

health risk to personnel. 


Level 


Review of material usage by GRC M&P 


Damage to equipment 


Personnel injuiy. 


Level: 


Fan contained witiiin housing and two finger 


Fan will not be operated outside of acceptable 
range 


Collision or inadvertent 
contact with broken off 
pieces of rotating or 


Damage to equipment 


Review of material usage by GRC M&P. 
Fan contained widiin housing and two finger 


2.0 Contamination of Workspace: Release of toxic, flammable, oxygen-depleting, corrosive, condensible, or particulate matter into the workspace where the GSE will be utilized. 


Not Applicable. No contamination hazard exists. 


3.0 Corrosion: The structural degradation of metallic and nonmetallic equipment, possibly resulting from leakage of caustic'cotrosive materials, joining of dissimilar metals or emir 


Not Applicable. No sources of corrosion. 


4.0 Electric Shock and Electric Damage: Personnel injury or fatality and or adverse effect on performance and operation of equipment because of contact with a live circuit, either f 

measures, procedural error or inadequate design 


6 CONFIGURATION MANAGEMENT 

In order to keep the flight payload protected from damage 
due to the inevitable changes and additions to equipment that 
occur during integration and testing, good Configuration 
Management (CM) was maintained. The certification package 
that was entered into the CoNNeCT Configuration 
Management System was modified by the cognizant engineer. 
This may have included new drawings, diagrams, Hazard 
Analysis, FMEAs, and acceptance tests, as appropriate. The 
package was then resubmitted to the SCaN Testbed’s Chief 
Engineer and SMA Lead for review and comments. Once 
concurred and accepted, the modification to the original 
package was released and filed in the project’s electronic 
document tracking and distribution CM system. 
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5 SYSTEM SAFETY 
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